Passwords Are a Problem. Are Emojis the Answer?

As much fun as it might be to use see-no-evil monkey, flushed face, weary-cat face, and that weird emoji that looks like The Scream as a PIN, it may not be the best idea from a security standpoint.

Wait. What? Emoji as a PIN? Yep.

On Monday, U.K.-based Intelligent Environments announced a new tool via its Android banking app that will let users log into their bank account using emoji instead of the typical four-digit PIN. A short demo video makes the app look a lot like any other four-digit code entry system but with emoji instead of numerals.

This is much more than a digital novelty for the smartphone age. From a security standpoint, users can choose a combination from 44 emoji instead of 10 digits, meaning there are 480 times as many permutations as there are with a standard four-digit PIN. Technically, this makes Intelligent Environments’ app mathematically more secure.

Though the concept might seem gimmicky, Intelligent Environments argues emoji is the United Kingdom’s fastest growing language. While it has its limitations, transitioning from a language used exclusively for casual communication to one used for far more formal endeavors takes the glyph system in a new direction. Earlier this month, a Swedish children’s rights organization released Abused Emoji, an app designed to help youngsters communicate their experiences with abuse and other trauma.

Still, using emoji for something so vital as a password has distinct limitations—not the least of which is that no one’s ready for it. Not all websites recognize emoji, which makes web-authentication a nonstarter. Traditional computers lack a convenient input system for emoji—one day everyone will have emoji keyboards, but that day is not today. And perhaps most importantly, even with a bank of 44 emoji to choose from, a four-emoji PIN is quite vulnerable to brute force attacks, particularly in any system that doesn’t lock out a potential intruder after a set number of incorrect attempts.

“My problem with the username and password system is that we’re essentially using something that was first invented 20 years ago,” says Steve Gibson of Gibson Research Corporation. “That idea’s lasted as long as it has because it’s fundamental.”

Gibson created SpinRite and Shields Up, two popular services that facilitate hard-disk recovery and port-scanning. The PC has been the nucleus of his career, and in the last 15 years, he’s shifted his focus to security. Of course, he acknowledges the weaknesses of our current username/password system. “In the current ecosystem,” he says, “users should not reuse the same password”—a vulnerability which, it’s worth noting, easily could be replicated in an emoji-based system. Gibson also notes that our predilection for laughably weak passwords like “123456” isn’t helping matters.

On some level, people all know better. Nearly every site prompts visitors to create an account, which results in dozens of passwords. And even password managers can’t be entirely trusted, as LastPass’s recent breach proves.

Gibson’s hard at work on something called SQRL—Secure Quick Reliable Login—that he hopes will take the messy work of password creation out of users’ hands. Though SQRL is in development and not yet widely available, it uses a combination of public and private keys to generate unique and functionally anonymous identities for integrated sites that typically require usernames and passwords. No, it’s not emoji-based, but like Intelligent Environments’s solution, it is an attempt to move beyond alphanumeric security.

Whether SQRL or emoji can solve the password problem remains to be seen, but the point, for now, is moot. Neither approach is widely available. But if anything is begging for disruption, it’s the password.